Context Navigation

radiusd.conf @ 5160d62

perl-5.22

Last change on this file since 5160d62 was c5c522c, checked in by Edwin Eefting <edwin@datux.nl>, 8 years ago
initial commit, transferred from cleaned syn3 svn tree
Property mode set to `100644`
File size: 64.1 KB

Rev	Line
[c5c522c]	1	##
	2	## radiusd.conf -- FreeRADIUS server configuration file.
	3	##
	4	## http://www.freeradius.org/
	5	## $Id: radiusd.conf.in,v 1.188.2.4.2.12 2006/07/29 19:43:30 nbk Exp $
	6	##
	7
	8	# The location of other config files and
	9	# logfiles are declared in this file
	10	#
	11	# Also general configuration for modules can be done
	12	# in this file, it is exported through the API to
	13	# modules that ask for it.
	14	#
	15	# The configuration variables defined here are of the form ${foo}
	16	# They are local to this file, and do not change from request to
	17	# request.
	18	#
	19	# The per-request variables are of the form %{Attribute-Name}, and
	20	# are taken from the values of the attribute in the incoming
	21	# request. See 'doc/variables.txt' for more information.
	22
	23	prefix = /usr
	24	exec_prefix = ${prefix}
	25	sysconfdir = /home/system/radius
	26	localstatedir = /var
	27	sbindir = /usr/sbin
	28	logdir = ${localstatedir}/log/radius
	29	raddbdir = ${sysconfdir}/raddb
	30	radacctdir = ${logdir}/radacct
	31
	32	# Location of config and logfiles.
	33	confdir = ${raddbdir}
	34	run_dir = ${localstatedir}/run/radiusd
	35	#
	36	# The logging messages for the server are appended to the
	37	# tail of this file.
	38	#
	39	log_file = ${logdir}/radius.log
	40
	41	#
	42	# libdir: Where to find the rlm_* modules.
	43	#
	44	# This should be automatically set at configuration time.
	45	#
	46	# If the server builds and installs, but fails at execution time
	47	# with an 'undefined symbol' error, then you can use the libdir
	48	# directive to work around the problem.
	49	#
	50	# The cause is usually that a library has been installed on your
	51	# system in a place where the dynamic linker CANNOT find it. When
	52	# executing as root (or another user), your personal environment MAY
	53	# be set up to allow the dynamic linker to find the library. When
	54	# executing as a daemon, FreeRADIUS MAY NOT have the same
	55	# personalized configuration.
	56	#
	57	# To work around the problem, find out which library contains that symbol,
	58	# and add the directory containing that library to the end of 'libdir',
	59	# with a colon separating the directory names. NO spaces are allowed.
	60	#
	61	# e.g. libdir = /usr/local/lib:/opt/package/lib
	62	#
	63	# You can also try setting the LD_LIBRARY_PATH environment variable
	64	# in a script which starts the server.
	65	#
	66	# If that does not work, then you can re-configure and re-build the
	67	# server to NOT use shared libraries, via:
	68	#
	69	# ./configure --disable-shared
	70	# make
	71	# make install
	72	#
	73	libdir = /usr/lib
	74
	75	# pidfile: Where to place the PID of the RADIUS server.
	76	#
	77	# The server may be signalled while it's running by using this
	78	# file.
	79	#
	80	# This file is written when ONLY running in daemon mode.
	81	#
	82	# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
	83	#
	84	pidfile = ${run_dir}/radiusd.pid
	85
	86
	87	# user/group: The name (or #number) of the user/group to run radiusd as.
	88	#
	89	# If these are commented out, the server will run as the user/group
	90	# that started it. In order to change to a different user/group, you
	91	# MUST be root ( or have root privleges ) to start the server.
	92	#
	93	# We STRONGLY recommend that you run the server with as few permissions
	94	# as possible. That is, if you're not using shadow passwords, the
	95	# user and group items below should be set to 'nobody'.
	96	#
	97	# On SCO (ODT 3) use "user = nouser" and "group = nogroup".
	98	#
	99	# NOTE that some kernels refuse to setgid(group) when the value of
	100	# (unsigned)group is above 60000; don't use group nobody on these systems!
	101	#
	102	# On systems with shadow passwords, you might have to set 'group = shadow'
	103	# for the server to be able to read the shadow password file. If you can
	104	# authenticate users while in debug mode, but not in daemon mode, it may be
	105	# that the debugging mode server is running as a user that can read the
	106	# shadow info, and the user listed below can not.
	107	#
	108	#user = nobody
	109	#group = nobody
	110
	111	# max_request_time: The maximum time (in seconds) to handle a request.
	112	#
	113	# Requests which take more time than this to process may be killed, and
	114	# a REJECT message is returned.
	115	#
	116	# WARNING: If you notice that requests take a long time to be handled,
	117	# then this MAY INDICATE a bug in the server, in one of the modules
	118	# used to handle a request, OR in your local configuration.
	119	#
	120	# This problem is most often seen when using an SQL database. If it takes
	121	# more than a second or two to receive an answer from the SQL database,
	122	# then it probably means that you haven't indexed the database. See your
	123	# SQL server documentation for more information.
	124	#
	125	# Useful range of values: 5 to 120
	126	#
	127	max_request_time = 30
	128
	129	# delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
	130	# to be handled, then maybe the server should delete it.
	131	#
	132	# If you're running in threaded, or thread pool mode, this setting
	133	# should probably be 'no'. Setting it to 'yes' when using a threaded
	134	# server MAY cause the server to crash!
	135	#
	136	delete_blocked_requests = no
	137
	138	# cleanup_delay: The time to wait (in seconds) before cleaning up
	139	# a reply which was sent to the NAS.
	140	#
	141	# The RADIUS request is normally cached internally for a short period
	142	# of time, after the reply is sent to the NAS. The reply packet may be
	143	# lost in the network, and the NAS will not see it. The NAS will then
	144	# re-send the request, and the server will respond quickly with the
	145	# cached reply.
	146	#
	147	# If this value is set too low, then duplicate requests from the NAS
	148	# MAY NOT be detected, and will instead be handled as seperate requests.
	149	#
	150	# If this value is set too high, then the server will cache too many
	151	# requests, and some new requests may get blocked. (See 'max_requests'.)
	152	#
	153	# Useful range of values: 2 to 10
	154	#
	155	cleanup_delay = 5
	156
	157	# max_requests: The maximum number of requests which the server keeps
	158	# track of. This should be 256 multiplied by the number of clients.
	159	# e.g. With 4 clients, this number should be 1024.
	160	#
	161	# If this number is too low, then when the server becomes busy,
	162	# it will not respond to any new requests, until the 'cleanup_delay'
	163	# time has passed, and it has removed the old requests.
	164	#
	165	# If this number is set too high, then the server will use a bit more
	166	# memory for no real benefit.
	167	#
	168	# If you aren't sure what it should be set to, it's better to set it
	169	# too high than too low. Setting it to 1000 per client is probably
	170	# the highest it should be.
	171	#
	172	# Useful range of values: 256 to infinity
	173	#
	174	max_requests = 1024
	175
	176	# bind_address: Make the server listen on a particular IP address, and
	177	# send replies out from that address. This directive is most useful
	178	# for machines with multiple IP addresses on one interface.
	179	#
	180	# It can either contain "*", or an IP address, or a fully qualified
	181	# Internet domain name. The default is "*"
	182	#
	183	# As of 1.0, you can also use the "listen" directive. See below for
	184	# more information.
	185	#
	186	bind_address = *
	187
	188	# port: Allows you to bind FreeRADIUS to a specific port.
	189	#
	190	# The default port that most NAS boxes use is 1645, which is historical.
	191	# RFC 2138 defines 1812 to be the new port. Many new servers and
	192	# NAS boxes use 1812, which can create interoperability problems.
	193	#
	194	# The port is defined here to be 0 so that the server will pick up
	195	# the machine's local configuration for the radius port, as defined
	196	# in /etc/services.
	197	#
	198	# If you want to use the default RADIUS port as defined on your server,
	199	# (usually through 'grep radius /etc/services') set this to 0 (zero).
	200	#
	201	# A port given on the command-line via '-p' over-rides this one.
	202	#
	203	# As of 1.0, you can also use the "listen" directive. See below for
	204	# more information.
	205	#
	206	port = 0
	207
	208	#
	209	# By default, the server uses "bind_address" to listen to all IP's
	210	# on a machine, or just one IP. The "port" configuration is used
	211	# to select the authentication port used when listening on those
	212	# addresses.
	213	#
	214	# If you want the server to listen on additional addresses, you can
	215	# use the "listen" section. A sample section (commented out) is included
	216	# below. This "listen" section duplicates the functionality of the
	217	# "bind_address" and "port" configuration entries, but it only listens
	218	# for authentication packets.
	219	#
	220	# If you comment out the "bind_address" and "port" configuration entries,
	221	# then it becomes possible to make the server accept only accounting,
	222	# or authentication packets. Previously, it always listened for both
	223	# types of packets, and it was impossible to make it listen for only
	224	# one type of packet.
	225	#
	226	#listen {
	227	# IP address on which to listen.
	228	# Allowed values are:
	229	# dotted quad (1.2.3.4)
	230	# hostname (radius.example.com)
	231	# wildcard (*)
	232	# ipaddr = *
	233
	234	# Port on which to listen.
	235	# Allowed values are:
	236	# integer port number (1812)
	237	# 0 means "use /etc/services for the proper port"
	238	# port = 0
	239
	240	# Type of packets to listen for.
	241	# Allowed values are:
	242	# auth listen for authentication packets
	243	# acct listen for accounting packets
	244	#
	245	# type = auth
	246	#}
	247
	248
	249	# hostname_lookups: Log the names of clients or just their IP addresses
	250	# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
	251	#
	252	# The default is 'off' because it would be overall better for the net
	253	# if people had to knowingly turn this feature on, since enabling it
	254	# means that each client request will result in AT LEAST one lookup
	255	# request to the nameserver. Enabling hostname_lookups will also
	256	# mean that your server may stop randomly for 30 seconds from time
	257	# to time, if the DNS requests take too long.
	258	#
	259	# Turning hostname lookups off also means that the server won't block
	260	# for 30 seconds, if it sees an IP address which has no name associated
	261	# with it.
	262	#
	263	# allowed values: {no, yes}
	264	#
	265	hostname_lookups = no
	266
	267	# Core dumps are a bad thing. This should only be set to 'yes'
	268	# if you're debugging a problem with the server.
	269	#
	270	# allowed values: {no, yes}
	271	#
	272	allow_core_dumps = no
	273
	274	# Regular expressions
	275	#
	276	# These items are set at configure time. If they're set to "yes",
	277	# then setting them to "no" turns off regular expression support.
	278	#
	279	# If they're set to "no" at configure time, then setting them to "yes"
	280	# WILL NOT WORK. It will give you an error.
	281	#
	282	regular_expressions = @REGEX@
	283	extended_expressions = @REGEX_EXTENDED@
	284
	285	# Log the full User-Name attribute, as it was found in the request.
	286	#
	287	# allowed values: {no, yes}
	288	#
	289	log_stripped_names = no
	290
	291	# Log authentication requests to the log file.
	292	#
	293	# allowed values: {no, yes}
	294	#
	295	log_auth = no
	296
	297	# Log passwords with the authentication requests.
	298	# log_auth_badpass - logs password if it's rejected
	299	# log_auth_goodpass - logs password if it's correct
	300	#
	301	# allowed values: {no, yes}
	302	#
	303	log_auth_badpass = no
	304	log_auth_goodpass = no
	305
	306	# usercollide: Turn "username collision" code on and off. See the
	307	# "doc/duplicate-users" file
	308	#
	309	# WARNING
	310	# !!!!!!! Setting this to "yes" may result in the server behaving
	311	# !!!!!!! strangely. The "username collision" code will ONLY work
	312	# !!!!!!! with clear-text passwords. Even then, it may not do what
	313	# !!!!!!! you want, or what you expect.
	314	# !!!!!!!
	315	# !!!!!!! We STRONGLY RECOMMEND that you do not use this feature,
	316	# !!!!!!! and that you find another way of acheiving the same goal.
	317	# !!!!!!!
	318	# !!!!!!! e,g. module fail-over. See 'doc/configurable_failover'
	319	# WARNING
	320	#
	321	usercollide = no
	322
	323	# lower_user / lower_pass:
	324	# Lower case the username/password "before" or "after"
	325	# attempting to authenticate.
	326	#
	327	# If "before", the server will first modify the request and then try
	328	# to auth the user. If "after", the server will first auth using the
	329	# values provided by the user. If that fails it will reprocess the
	330	# request after modifying it as you specify below.
	331	#
	332	# This is as close as we can get to case insensitivity. It is the
	333	# admin's job to ensure that the username on the auth db side is
	334	# also lowercase to make this work
	335	#
	336	# Default is 'no' (don't lowercase values)
	337	# Valid values = "before" / "after" / "no"
	338	#
	339	lower_user = no
	340	lower_pass = no
	341
	342	# nospace_user / nospace_pass:
	343	#
	344	# Some users like to enter spaces in their username or password
	345	# incorrectly. To save yourself the tech support call, you can
	346	# eliminate those spaces here:
	347	#
	348	# Default is 'no' (don't remove spaces)
	349	# Valid values = "before" / "after" / "no" (explanation above)
	350	#
	351	nospace_user = no
	352	nospace_pass = no
	353
	354	# The program to execute to do concurrency checks.
	355	checkrad = ${sbindir}/checkrad
	356
	357	# SECURITY CONFIGURATION
	358	#
	359	# There may be multiple methods of attacking on the server. This
	360	# section holds the configuration items which minimize the impact
	361	# of those attacks
	362	#
	363	security {
	364	#
	365	# max_attributes: The maximum number of attributes
	366	# permitted in a RADIUS packet. Packets which have MORE
	367	# than this number of attributes in them will be dropped.
	368	#
	369	# If this number is set too low, then no RADIUS packets
	370	# will be accepted.
	371	#
	372	# If this number is set too high, then an attacker may be
	373	# able to send a small number of packets which will cause
	374	# the server to use all available memory on the machine.
	375	#
	376	# Setting this number to 0 means "allow any number of attributes"
	377	max_attributes = 200
	378
	379	#
	380	# reject_delay: When sending an Access-Reject, it can be
	381	# delayed for a few seconds. This may help slow down a DoS
	382	# attack. It also helps to slow down people trying to brute-force
	383	# crack a users password.
	384	#
	385	# Setting this number to 0 means "send rejects immediately"
	386	#
	387	# If this number is set higher than 'cleanup_delay', then the
	388	# rejects will be sent at 'cleanup_delay' time, when the request
	389	# is deleted from the internal cache of requests.
	390	#
	391	# Useful ranges: 1 to 5
	392	reject_delay = 1
	393
	394	#
	395	# status_server: Whether or not the server will respond
	396	# to Status-Server requests.
	397	#
	398	# Normally this should be set to "no", because they're useless.
	399	# See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives
	400	#
	401	# However, certain NAS boxes may require them.
	402	#
	403	# When sent a Status-Server message, the server responds with
	404	# an Access-Accept packet, containing a Reply-Message attribute,
	405	# which is a string describing how long the server has been
	406	# running.
	407	#
	408	status_server = no
	409	}
	410
	411	# PROXY CONFIGURATION
	412	#
	413	# proxy_requests: Turns proxying of RADIUS requests on or off.
	414	#
	415	# The server has proxying turned on by default. If your system is NOT
	416	# set up to proxy requests to another server, then you can turn proxying
	417	# off here. This will save a small amount of resources on the server.
	418	#
	419	# If you have proxying turned off, and your configuration files say
	420	# to proxy a request, then an error message will be logged.
	421	#
	422	# To disable proxying, change the "yes" to "no", and comment the
	423	# $INCLUDE line.
	424	#
	425	# allowed values: {no, yes}
	426	#
	427	#proxy_requests = yes
	428	#$INCLUDE ${confdir}/proxy.conf
	429
	430
	431	# CLIENTS CONFIGURATION
	432	#
	433	# Client configuration is defined in "clients.conf".
	434	#
	435
	436	# The 'clients.conf' file contains all of the information from the old
	437	# 'clients' and 'naslist' configuration files. We recommend that you
	438	# do NOT use 'client's or 'naslist', although they are still
	439	# supported.
	440	#
	441	# Anything listed in 'clients.conf' will take precedence over the
	442	# information from the old-style configuration files.
	443	#
	444	#
	445	$INCLUDE ${confdir}/clients.conf
	446
	447
	448	# SNMP CONFIGURATION
	449	#
	450	# Snmp configuration is only valid if SNMP support was enabled
	451	# at compile time.
	452	#
	453	# To enable SNMP querying of the server, set the value of the
	454	# 'snmp' attribute to 'yes'
	455	#
	456	snmp = no
	457	#$INCLUDE ${confdir}/snmp.conf
	458
	459
	460	# THREAD POOL CONFIGURATION
	461	#
	462	# The thread pool is a long-lived group of threads which
	463	# take turns (round-robin) handling any incoming requests.
	464	#
	465	# You probably want to have a few spare threads around,
	466	# so that high-load situations can be handled immediately. If you
	467	# don't have any spare threads, then the request handling will
	468	# be delayed while a new thread is created, and added to the pool.
	469	#
	470	# You probably don't want too many spare threads around,
	471	# otherwise they'll be sitting there taking up resources, and
	472	# not doing anything productive.
	473	#
	474	# The numbers given below should be adequate for most situations.
	475	#
	476	thread pool {
	477	# Number of servers to start initially --- should be a reasonable
	478	# ballpark figure.
	479	start_servers = 5
	480
	481	# Limit on the total number of servers running.
	482	#
	483	# If this limit is ever reached, clients will be LOCKED OUT, so it
	484	# should NOT BE SET TOO LOW. It is intended mainly as a brake to
	485	# keep a runaway server from taking the system with it as it spirals
	486	# down...
	487	#
	488	# You may find that the server is regularly reaching the
	489	# 'max_servers' number of threads, and that increasing
	490	# 'max_servers' doesn't seem to make much difference.
	491	#
	492	# If this is the case, then the problem is MOST LIKELY that
	493	# your back-end databases are taking too long to respond, and
	494	# are preventing the server from responding in a timely manner.
	495	#
	496	# The solution is NOT do keep increasing the 'max_servers'
	497	# value, but instead to fix the underlying cause of the
	498	# problem: slow database, or 'hostname_lookups=yes'.
	499	#
	500	# For more information, see 'max_request_time', above.
	501	#
	502	max_servers = 32
	503
	504	# Server-pool size regulation. Rather than making you guess
	505	# how many servers you need, FreeRADIUS dynamically adapts to
	506	# the load it sees, that is, it tries to maintain enough
	507	# servers to handle the current load, plus a few spare
	508	# servers to handle transient load spikes.
	509	#
	510	# It does this by periodically checking how many servers are
	511	# waiting for a request. If there are fewer than
	512	# min_spare_servers, it creates a new spare. If there are
	513	# more than max_spare_servers, some of the spares die off.
	514	# The default values are probably OK for most sites.
	515	#
	516	min_spare_servers = 3
	517	max_spare_servers = 10
	518
	519	# There may be memory leaks or resource allocation problems with
	520	# the server. If so, set this value to 300 or so, so that the
	521	# resources will be cleaned up periodically.
	522	#
	523	# This should only be necessary if there are serious bugs in the
	524	# server which have not yet been fixed.
	525	#
	526	# '0' is a special value meaning 'infinity', or 'the servers never
	527	# exit'
	528	max_requests_per_server = 0
	529	}
	530
	531	# MODULE CONFIGURATION
	532	#
	533	# The names and configuration of each module is located in this section.
	534	#
	535	# After the modules are defined here, they may be referred to by name,
	536	# in other sections of this configuration file.
	537	#
	538	modules {
	539	#
	540	# Each module has a configuration as follows:
	541	#
	542	# name [ instance ] {
	543	# config_item = value
	544	# ...
	545	# }
	546	#
	547	# The 'name' is used to load the 'rlm_name' library
	548	# which implements the functionality of the module.
	549	#
	550	# The 'instance' is optional. To have two different instances
	551	# of a module, it first must be referred to by 'name'.
	552	# The different copies of the module are then created by
	553	# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
	554	#
	555	# The instance names can then be used in later configuration
	556	# INSTEAD of the original 'name'. See the 'radutmp' configuration
	557	# below for an example.
	558	#
	559
	560	# PAP module to authenticate users based on their stored password
	561	#
	562	# Supports multiple encryption schemes
	563	# clear: Clear text
	564	# crypt: Unix crypt
	565	# md5: MD5 ecnryption
	566	# sha1: SHA1 encryption.
	567	# DEFAULT: crypt
	568	pap {
	569	encryption_scheme = crypt
	570	}
	571
	572	# CHAP module
	573	#
	574	# To authenticate requests containing a CHAP-Password attribute.
	575	#
	576	chap {
	577	authtype = CHAP
	578	}
	579
	580	# Pluggable Authentication Modules
	581	#
	582	# For Linux, see:
	583	# http://www.kernel.org/pub/linux/libs/pam/index.html
	584	#
	585	# WARNING: On many systems, the system PAM libraries have
	586	# memory leaks! We STRONGLY SUGGEST that you do not
	587	# use PAM for authentication, due to those memory leaks.
	588	#
	589	pam {
	590	#
	591	# The name to use for PAM authentication.
	592	# PAM looks in /etc/pam.d/${pam_auth_name}
	593	# for it's configuration. See 'redhat/radiusd-pam'
	594	# for a sample PAM configuration file.
	595	#
	596	# Note that any Pam-Auth attribute set in the 'authorize'
	597	# section will over-ride this one.
	598	#
	599	pam_auth = radiusd
	600	}
	601
	602	# Unix /etc/passwd style authentication
	603	#
	604	unix {
	605	#
	606	# Cache /etc/passwd, /etc/shadow, and /etc/group
	607	#
	608	# The default is to NOT cache them.
	609	#
	610	# For FreeBSD and NetBSD, you do NOT want to enable
	611	# the cache, as it's password lookups are done via a
	612	# database, so set this value to 'no'.
	613	#
	614	# Some systems (e.g. RedHat Linux with pam_pwbd) can
	615	# take seconds to check a password, when th passwd
	616	# file containing 1000's of entries. For those systems,
	617	# you should set the cache value to 'yes', and set
	618	# the locations of the 'passwd', 'shadow', and 'group'
	619	# files, below.
	620	#
	621	# allowed values: {no, yes}
	622	cache = no
	623
	624	# Reload the cache every 600 seconds (10mins). 0 to disable.
	625	cache_reload = 600
	626
	627	#
	628	# Define the locations of the normal passwd, shadow, and
	629	# group files.
	630	#
	631	# 'shadow' is commented out by default, because not all
	632	# systems have shadow passwords.
	633	#
	634	# To force the module to use the system password functions,
	635	# instead of reading the files, leave the following entries
	636	# commented out.
	637	#
	638	# This is required for some systems, like FreeBSD,
	639	# and Mac OSX.
	640	#
	641	# passwd = /etc/passwd
	642	# shadow = /etc/shadow
	643	# group = /etc/group
	644
	645	#
	646	# The location of the "wtmp" file.
	647	# This should be moved to it's own module soon.
	648	#
	649	# The only use for 'radlast'. If you don't use
	650	# 'radlast', then you can comment out this item.
	651	#
	652	radwtmp = ${logdir}/radwtmp
	653	}
	654
	655
	656	# Microsoft CHAP authentication
	657	#
	658	# This module supports MS-CHAP and MS-CHAPv2 authentication.
	659	# It also enforces the SMB-Account-Ctrl attribute.
	660	#
	661	mschap {
	662	#
	663	# As of 0.9, the mschap module does NOT support
	664	# reading from /etc/smbpasswd.
	665	#
	666	# If you are using /etc/smbpasswd, see the 'passwd'
	667	# module for an example of how to use /etc/smbpasswd
	668
	669	# if use_mppe is not set to no mschap will
	670	# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
	671	# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
	672	#
	673	use_mppe = yes
	674
	675	# if mppe is enabled require_encryption makes
	676	# encryption moderate
	677	#
	678	require_encryption = yes
	679
	680	# require_strong always requires 128 bit key
	681	# encryption
	682	#
	683	require_strong = yes
	684
	685	# Windows sends us a username in the form of
	686	# DOMAIN\user, but sends the challenge response
	687	# based on only the user portion. This hack
	688	# corrects for that incorrect behavior.
	689	#
	690	#with_ntdomain_hack = no
	691
	692	# The module can perform authentication itself, OR
	693	# use a Windows Domain Controller. This configuration
	694	# directive tells the module to call the ntlm_auth
	695	# program, which will do the authentication, and return
	696	# the NT-Key. Note that you MUST have "winbindd" and
	697	# "nmbd" running on the local machine for ntlm_auth
	698	# to work. See the ntlm_auth program documentation
	699	# for details.
	700	#
	701	# Be VERY careful when editing the following line!
	702	#
	703	#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
	704	}
	705
	706	# Lightweight Directory Access Protocol (LDAP)
	707	#
	708	# This module definition allows you to use LDAP for
	709	# authorization and authentication.
	710	#
	711	# See doc/rlm_ldap for description of configuration options
	712	# and sample authorize{} and authenticate{} blocks
	713	#
	714	# However, LDAP can be used for authentication ONLY when the
	715	# Access-Request packet contains a clear-text User-Password
	716	# attribute. LDAP authentication will NOT work for any other
	717	# authentication method.
	718	#
	719	# This means that LDAP servers don't understand EAP. If you
	720	# force "Auth-Type = LDAP", and then send the server a
	721	# request containing EAP authentication, then authentication
	722	# WILL NOT WORK.
	723	#
	724	# The solution is to use the default configuration, which does
	725	# work.
	726	#
	727	# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
	728	# really can't emphasize this enough.
	729	#
	730	ldap {
	731	server = "ldap-master"
	732	identity = "cn=Manager,dc=syn-3"
	733	password = asje2
	734	basedn = "dc=syn-3"
	735	filter = "(&(OXGroupID=520)(uid=%u))"
	736	base_filter = "(objectclass=OXUserObject)"
	737
	738	# set this to 'yes' to use TLS encrypted connections
	739	# to the LDAP database by using the StartTLS extended
	740	# operation.
	741	# The StartTLS operation is supposed to be used with normal
	742	# ldap connections instead of using ldaps (port 689) connections
	743	start_tls = no
	744
	745	# tls_cacertfile = /path/to/cacert.pem
	746	# tls_cacertdir = /path/to/ca/dir/
	747	# tls_certfile = /path/to/radius.crt
	748	# tls_keyfile = /path/to/radius.key
	749	# tls_randfile = /path/to/rnd
	750	# tls_require_cert = "demand"
	751
	752	# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
	753	# profile_attribute = "radiusProfileDn"
	754	#access_attr = "OXUserObject"
	755
	756	# Mapping of RADIUS dictionary attributes to LDAP
	757	# directory attributes.
	758	dictionary_mapping = ${raddbdir}/ldap.attrmap
	759
	760	ldap_connections_number = 5
	761
	762	#
	763	# NOTICE: The password_header directive is NOT case insensitive
	764	#
	765	#password_header = "{CRYPT}"
	766	#
	767	# Set:
	768	password_attribute = userPassword
	769	#
	770	# to get the user's password from a Novell eDirectory
	771	# backend. This will work only if freeRADIUS is
	772	# configured to build with --with-edir option.
	773	#
	774	#
	775	# The server can usually figure this out on its own, and pull
	776	# the correct User-Password or NT-Password from the database.
	777	#
	778	# Note that NT-Passwords MUST be stored as a 32-digit hex
	779	# string, and MUST start off with "0x", such as:
	780	#
	781	# 0x000102030405060708090a0b0c0d0e0f
	782	#
	783	# Without the leading "0x", NT-Passwords will not work.
	784	# This goes for NT-Passwords stored in SQL, too.
	785	#
	786	# password_attribute = userPassword
	787	#
	788	# Un-comment the following to disable Novell eDirectory account
	789	# policy check and intruder detection. This will work only if
	790	# FreeRADIUS is configured to build with --with-edir option.
	791	#
	792	# edir_account_policy_check=no
	793	#
	794	timeout = 4
	795	timelimit = 3
	796	net_timeout = 1
	797	compare_check_items = no
	798	# do_xlat = yes
	799	# access_attr_used_for_allow = yes
	800
	801	#
	802	# By default, if the packet contains a User-Password,
	803	# and no other module is configured to handle the
	804	# authentication, the LDAP module sets itself to do
	805	# LDAP bind for authentication.
	806	#
	807	# You can disable this behavior by setting the following
	808	# configuration entry to "no".
	809	#
	810	# allowed values: {no, yes}
	811	set_auth_type = yes
	812	}
	813	# passwd module allows to do authorization via any passwd-like
	814	# file and to extract any attributes from these modules
	815	#
	816	# parameters are:
	817	# filename - path to filename
	818	# format - format for filename record. This parameters
	819	# correlates record in the passwd file and RADIUS
	820	# attributes.
	821	#
	822	# Field marked as '*' is key field. That is, the parameter
	823	# with this name from the request is used to search for
	824	# the record from passwd file
	825	# Attribute marked as '=' is added to reply_itmes instead
	826	# of default configure_itmes
	827	# Attribute marked as '~' is added to request_items
	828	#
	829	# Field marked as ',' may contain a comma separated list
	830	# of attributes.
	831	# authtype - if record found this Auth-Type is used to authenticate
	832	# user
	833	# hashsize - hashtable size. If 0 or not specified records are not
	834	# stored in memory and file is red on every request.
	835	# allowmultiplekeys - if few records for every key are allowed
	836	# ignorenislike - ignore NIS-related records
	837	# delimiter - symbol to use as a field separator in passwd file,
	838	# for format ':' symbol is always used. '\0', '\n' are
	839	# not allowed
	840	#
	841
	842	# An example configuration for using /etc/smbpasswd.
	843	#
	844	#passwd etc_smbpasswd {
	845	# filename = /etc/smbpasswd
	846	# format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
	847	# authtype = MS-CHAP
	848	# hashsize = 100
	849	# ignorenislike = no
	850	# allowmultiplekeys = no
	851	#}
	852
	853	# Similar configuration, for the /etc/group file. Adds a Group-Name
	854	# attribute for every group that the user is member of.
	855	#
	856	#passwd etc_group {
	857	# filename = /etc/group
	858	# format = "=Group-Name:::*,User-Name"
	859	# hashsize = 50
	860	# ignorenislike = yes
	861	# allowmultiplekeys = yes
	862	# delimiter = ":"
	863	#}
	864
	865	# Realm module, for proxying.
	866	#
	867	# You can have multiple instances of the realm module to
	868	# support multiple realm syntaxs at the same time. The
	869	# search order is defined by the order in the authorize and
	870	# preacct sections.
	871	#
	872	# Four config options:
	873	# format - must be 'prefix' or 'suffix'
	874	# delimiter - must be a single character
	875	# ignore_default - set to 'yes' or 'no'
	876	# ignore_null - set to 'yes' or 'no'
	877	#
	878	# ignore_default and ignore_null can be set to 'yes' to prevent
	879	# the module from matching against DEFAULT or NULL realms. This
	880	# may be useful if you have have multiple instances of the
	881	# realm module.
	882	#
	883	# They both default to 'no'.
	884	#
	885
	886	# 'realm/username'
	887	#
	888	# Using this entry, IPASS users have their realm set to "IPASS".
	889	realm IPASS {
	890	format = prefix
	891	delimiter = "/"
	892	ignore_default = no
	893	ignore_null = no
	894	}
	895
	896	# 'username@realm'
	897	#
	898	realm suffix {
	899	format = suffix
	900	delimiter = "@"
	901	ignore_default = no
	902	ignore_null = no
	903	}
	904
	905	# 'username%realm'
	906	#
	907	realm realmpercent {
	908	format = suffix
	909	delimiter = "%"
	910	ignore_default = no
	911	ignore_null = no
	912	}
	913
	914	#
	915	# 'domain\user'
	916	#
	917	realm ntdomain {
	918	format = prefix
	919	delimiter = "\\"
	920	ignore_default = no
	921	ignore_null = no
	922	}
	923
	924	# A simple value checking module
	925	#
	926	# It can be used to check if an attribute value in the request
	927	# matches a (possibly multi valued) attribute in the check
	928	# items This can be used for example for caller-id
	929	# authentication. For the module to run, both the request
	930	# attribute and the check items attribute must exist
	931	#
	932	# i.e.
	933	# A user has an ldap entry with 2 radiusCallingStationId
	934	# attributes with values "12345678" and "12345679". If we
	935	# enable rlm_checkval, then any request which contains a
	936	# Calling-Station-Id with one of those two values will be
	937	# accepted. Requests with other values for
	938	# Calling-Station-Id will be rejected.
	939	#
	940	# Regular expressions in the check attribute value are allowed
	941	# as long as the operator is '=~'
	942	#
	943	checkval {
	944	# The attribute to look for in the request
	945	item-name = Calling-Station-Id
	946
	947	# The attribute to look for in check items. Can be multi valued
	948	check-name = Calling-Station-Id
	949
	950	# The data type. Can be
	951	# string,integer,ipaddr,date,abinary,octets
	952	data-type = string
	953
	954	# If set to yes and we dont find the item-name attribute in the
	955	# request then we send back a reject
	956	# DEFAULT is no
	957	#notfound-reject = no
	958	}
	959
	960	# rewrite arbitrary packets. Useful in accounting and authorization.
	961	#
	962	#
	963	# The module can also use the Rewrite-Rule attribute. If it
	964	# is set and matches the name of the module instance, then
	965	# that module instance will be the only one which runs.
	966	#
	967	# Also if new_attribute is set to yes then a new attribute
	968	# will be created containing the value replacewith and it
	969	# will be added to searchin (packet, reply, proxy, proxy_reply or config).
	970	# searchfor,ignore_case and max_matches will be ignored in that case.
	971	#
	972	# Backreferences are supported: %{0} will contain the string the whole match
	973	# and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses
	974	#
	975	# If max_matches is greater than one the backreferences will correspond to the
	976	# first match
	977
	978	#
	979	#attr_rewrite sanecallerid {
	980	# attribute = Called-Station-Id
	981	# may be "packet", "reply", "proxy", "proxy_reply" or "config"
	982	# searchin = packet
	983	# searchfor = "[+ ]"
	984	# replacewith = ""
	985	# ignore_case = no
	986	# new_attribute = no
	987	# max_matches = 10
	988	# ## If set to yes then the replace string will be appended to the original string
	989	# append = no
	990	#}
	991
	992	# Preprocess the incoming RADIUS request, before handing it off
	993	# to other modules.
	994	#
	995	# This module processes the 'huntgroups' and 'hints' files.
	996	# In addition, it re-writes some weird attributes created
	997	# by some NASes, and converts the attributes into a form which
	998	# is a little more standard.
	999	#
	1000	preprocess {
	1001	huntgroups = ${confdir}/huntgroups
	1002	hints = ${confdir}/hints
	1003
	1004	# This hack changes Ascend's wierd port numberings
	1005	# to standard 0-??? port numbers so that the "+" works
	1006	# for IP address assignments.
	1007	with_ascend_hack = no
	1008	ascend_channels_per_line = 23
	1009
	1010	# Windows NT machines often authenticate themselves as
	1011	# NT_DOMAIN\username
	1012	#
	1013	# If this is set to 'yes', then the NT_DOMAIN portion
	1014	# of the user-name is silently discarded.
	1015	#
	1016	# This configuration entry SHOULD NOT be used.
	1017	# See the "realms" module for a better way to handle
	1018	# NT domains.
	1019	with_ntdomain_hack = no
	1020
	1021	# Specialix Jetstream 8500 24 port access server.
	1022	#
	1023	# If the user name is 10 characters or longer, a "/"
	1024	# and the excess characters after the 10th are
	1025	# appended to the user name.
	1026	#
	1027	# If you're not running that NAS, you don't need
	1028	# this hack.
	1029	with_specialix_jetstream_hack = no
	1030
	1031	# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
	1032	# with the attribute name again in the string, like:
	1033	#
	1034	# H323-Attribute = "h323-attribute=value".
	1035	#
	1036	# If this configuration item is set to 'yes', then
	1037	# the redundant data in the the attribute text is stripped
	1038	# out. The result is:
	1039	#
	1040	# H323-Attribute = "value"
	1041	#
	1042	# If you're not running a Cisco or Quintum NAS, you don't
	1043	# need this hack.
	1044	with_cisco_vsa_hack = no
	1045	}
	1046
	1047	# Livingston-style 'users' file
	1048	#
	1049	files {
	1050	usersfile = ${confdir}/users
	1051	acctusersfile = ${confdir}/acct_users
	1052	preproxy_usersfile = ${confdir}/preproxy_users
	1053
	1054	# If you want to use the old Cistron 'users' file
	1055	# with FreeRADIUS, you should change the next line
	1056	# to 'compat = cistron'. You can the copy your 'users'
	1057	# file from Cistron.
	1058	compat = no
	1059	}
	1060
	1061	# Write a detailed log of all accounting records received.
	1062	#
	1063	detail {
	1064	# Note that we do NOT use NAS-IP-Address here, as
	1065	# that attribute MAY BE from the originating NAS, and
	1066	# NOT from the proxy which actually sent us the
	1067	# request. The Client-IP-Address attribute is ALWAYS
	1068	# the address of the client which sent us the
	1069	# request.
	1070	#
	1071	# The following line creates a new detail file for
	1072	# every radius client (by IP address or hostname).
	1073	# In addition, a new detail file is created every
	1074	# day, so that the detail file doesn't have to go
	1075	# through a 'log rotation'
	1076	#
	1077	# If your detail files are large, you may also want
	1078	# to add a ':%H' (see doc/variables.txt) to the end
	1079	# of it, to create a new detail file every hour, e.g.:
	1080	#
	1081	# ..../detail-%Y%m%d:%H
	1082	#
	1083	# This will create a new detail file for every hour.
	1084	#
	1085	detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
	1086
	1087	#
	1088	# The Unix-style permissions on the 'detail' file.
	1089	#
	1090	# The detail file often contains secret or private
	1091	# information about users. So by keeping the file
	1092	# permissions restrictive, we can prevent unwanted
	1093	# people from seeing that information.
	1094	detailperm = 0600
	1095
	1096	#
	1097	# Certain attributes such as User-Password may be
	1098	# "sensitive", so they should not be printed in the
	1099	# detail file. This section lists the attributes
	1100	# that should be suppressed.
	1101	#
	1102	# The attributes should be listed one to a line.
	1103	#
	1104	#suppress {
	1105	# User-Password
	1106	#}
	1107	}
	1108
	1109	#
	1110	# Many people want to log authentication requests.
	1111	# Rather than modifying the server core to print out more
	1112	# messages, we can use a different instance of the 'detail'
	1113	# module, to log the authentication requests to a file.
	1114	#
	1115	# You will also need to un-comment the 'auth_log' line
	1116	# in the 'authorize' section, below.
	1117	#
	1118	# detail auth_log {
	1119	# detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
	1120
	1121	#
	1122	# This MUST be 0600, otherwise anyone can read
	1123	# the users passwords!
	1124	# detailperm = 0600
	1125	# }
	1126
	1127	#
	1128	# This module logs authentication reply packets sent
	1129	# to a NAS. Both Access-Accept and Access-Reject packets
	1130	# are logged.
	1131	#
	1132	# You will also need to un-comment the 'reply_log' line
	1133	# in the 'post-auth' section, below.
	1134	#
	1135	# detail reply_log {
	1136	# detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
	1137
	1138	#
	1139	# This MUST be 0600, otherwise anyone can read
	1140	# the users passwords!
	1141	# detailperm = 0600
	1142	# }
	1143
	1144	#
	1145	# This module logs packets proxied to a home server.
	1146	#
	1147	# You will also need to un-comment the 'pre_proxy_log' line
	1148	# in the 'pre-proxy' section, below.
	1149	#
	1150	# detail pre_proxy_log {
	1151	# detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
	1152
	1153	#
	1154	# This MUST be 0600, otherwise anyone can read
	1155	# the users passwords!
	1156	# detailperm = 0600
	1157	# }
	1158
	1159	#
	1160	# This module logs response packets from a home server.
	1161	#
	1162	# You will also need to un-comment the 'post_proxy_log' line
	1163	# in the 'post-proxy' section, below.
	1164	#
	1165	# detail post_proxy_log {
	1166	# detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
	1167
	1168	#
	1169	# This MUST be 0600, otherwise anyone can read
	1170	# the users passwords!
	1171	# detailperm = 0600
	1172	# }
	1173
	1174	#
	1175	# The rlm_sql_log module appends the SQL queries in a log
	1176	# file which is read later by the radsqlrelay program.
	1177	#
	1178	# This module only performs the dynamic expansion of the
	1179	# variables found in the SQL statements. No operation is
	1180	# executed on the database server. (this could be done
	1181	# later by an external program) That means the module is
	1182	# useful only with non-"SELECT" statements.
	1183	#
	1184	# See rlm_sql_log(5) manpage.
	1185	#
	1186	# sql_log {
	1187	# path = ${radacctdir}/sql-relay
	1188	# acct_table = "radacct"
	1189	# postauth_table = "radpostauth"
	1190	#
	1191	# Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
	1192	# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
	1193	# AcctSessionTime, AcctTerminateCause) VALUES \
	1194	# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
	1195	# '%{Framed-IP-Address}', '%S', '0', '0', '');"
	1196	# Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
	1197	# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
	1198	# AcctSessionTime, AcctTerminateCause) VALUES \
	1199	# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
	1200	# '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
	1201	# '%{Acct-Terminate-Cause}');"
	1202	# Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
	1203	# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
	1204	# AcctSessionTime, AcctTerminateCause) VALUES \
	1205	# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
	1206	# '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
	1207	#
	1208	# Post-Auth = "INSERT INTO ${postauth_table} \
	1209	# (user, pass, reply, date) VALUES \
	1210	# ('%{User-Name}', '%{User-Password:-Chap-Password}', \
	1211	# '%{reply:Packet-Type}', '%S');"
	1212	# }
	1213
	1214	#
	1215	# Create a unique accounting session Id. Many NASes re-use
	1216	# or repeat values for Acct-Session-Id, causing no end of
	1217	# confusion.
	1218	#
	1219	# This module will add a (probably) unique session id
	1220	# to an accounting packet based on the attributes listed
	1221	# below found in the packet. See doc/rlm_acct_unique for
	1222	# more information.
	1223	#
	1224	acct_unique {
	1225	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	1226	}
	1227
	1228
	1229	# Include another file that has the SQL-related configuration.
	1230	# This is another file only because it tends to be big.
	1231	#
	1232	# The following configuration file is for use with MySQL.
	1233	#
	1234	# For Postgresql, use: ${confdir}/postgresql.conf
	1235	# For MS-SQL, use: ${confdir}/mssql.conf
	1236	# For Oracle, use: ${confdir}/oraclesql.conf
	1237	#
	1238	#$INCLUDE ${confdir}/sql.conf
	1239
	1240
	1241	# For Cisco VoIP specific accounting with Postgresql,
	1242	# use: ${confdir}/pgsql-voip.conf
	1243	#
	1244	# You will also need the sql schema from:
	1245	# src/billing/cisco_h323_db_schema-postgres.sql
	1246	# Note: This config can be use AS WELL AS the standard sql
	1247	# config if you need SQL based Auth
	1248
	1249
	1250	# Write a 'utmp' style file, of which users are currently
	1251	# logged in, and where they've logged in from.
	1252	#
	1253	# This file is used mainly for Simultaneous-Use checking,
	1254	# and also 'radwho', to see who's currently logged in.
	1255	#
	1256	radutmp {
	1257	# Where the file is stored. It's not a log file,
	1258	# so it doesn't need rotating.
	1259	#
	1260	filename = ${logdir}/radutmp
	1261
	1262	# The field in the packet to key on for the
	1263	# 'user' name, If you have other fields which you want
	1264	# to use to key on to control Simultaneous-Use,
	1265	# then you can use them here.
	1266	#
	1267	# Note, however, that the size of the field in the
	1268	# 'utmp' data structure is small, around 32
	1269	# characters, so that will limit the possible choices
	1270	# of keys.
	1271	#
	1272	# You may want instead: %{Stripped-User-Name:-%{User-Name}}
	1273	username = %{User-Name}
	1274
	1275
	1276	# Whether or not we want to treat "user" the same
	1277	# as "USER", or "User". Some systems have problems
	1278	# with case sensitivity, so this should be set to
	1279	# 'no' to enable the comparisons of the key attribute
	1280	# to be case insensitive.
	1281	#
	1282	case_sensitive = yes
	1283
	1284	# Accounting information may be lost, so the user MAY
	1285	# have logged off of the NAS, but we haven't noticed.
	1286	# If so, we can verify this information with the NAS,
	1287	#
	1288	# If we want to believe the 'utmp' file, then this
	1289	# configuration entry can be set to 'no'.
	1290	#
	1291	check_with_nas = yes
	1292
	1293	# Set the file permissions, as the contents of this file
	1294	# are usually private.
	1295	perm = 0600
	1296
	1297	callerid = "yes"
	1298	}
	1299
	1300	# "Safe" radutmp - does not contain caller ID, so it can be
	1301	# world-readable, and radwho can work for normal users, without
	1302	# exposing any information that isn't already exposed by who(1).
	1303	#
	1304	# This is another 'instance' of the radutmp module, but it is given
	1305	# then name "sradutmp" to identify it later in the "accounting"
	1306	# section.
	1307	radutmp sradutmp {
	1308	filename = ${logdir}/sradutmp
	1309	perm = 0644
	1310	callerid = "no"
	1311	}
	1312
	1313	# attr_filter - filters the attributes received in replies from
	1314	# proxied servers, to make sure we send back to our RADIUS client
	1315	# only allowed attributes.
	1316	attr_filter {
	1317	attrsfile = ${confdir}/attrs
	1318	}
	1319
	1320	# counter module:
	1321	# This module takes an attribute (count-attribute).
	1322	# It also takes a key, and creates a counter for each unique
	1323	# key. The count is incremented when accounting packets are
	1324	# received by the server. The value of the increment depends
	1325	# on the attribute type.
	1326	# If the attribute is Acct-Session-Time or of an integer type we add the
	1327	# value of the attribute. If it is anything else we increase the
	1328	# counter by one.
	1329	#
	1330	# The 'reset' parameter defines when the counters are all reset to
	1331	# zero. It can be hourly, daily, weekly, monthly or never.
	1332	#
	1333	# hourly: Reset on 00:00 of every hour
	1334	# daily: Reset on 00:00:00 every day
	1335	# weekly: Reset on 00:00:00 on sunday
	1336	# monthly: Reset on 00:00:00 of the first day of each month
	1337	#
	1338	# It can also be user defined. It should be of the form:
	1339	# num[hdwm] where:
	1340	# h: hours, d: days, w: weeks, m: months
	1341	# If the letter is ommited days will be assumed. In example:
	1342	# reset = 10h (reset every 10 hours)
	1343	# reset = 12 (reset every 12 days)
	1344	#
	1345	#
	1346	# The check-name attribute defines an attribute which will be
	1347	# registered by the counter module and can be used to set the
	1348	# maximum allowed value for the counter after which the user
	1349	# is rejected.
	1350	# Something like:
	1351	#
	1352	# DEFAULT Max-Daily-Session := 36000
	1353	# Fall-Through = 1
	1354	#
	1355	# You should add the counter module in the instantiate
	1356	# section so that it registers check-name before the files
	1357	# module reads the users file.
	1358	#
	1359	# If check-name is set and the user is to be rejected then we
	1360	# send back a Reply-Message and we log a Failure-Message in
	1361	# the radius.log
	1362	# If the count attribute is Acct-Session-Time then on each login
	1363	# we send back the remaining online time as a Session-Timeout attribute
	1364	#
	1365	# The counter-name can also be used instead of using the check-name
	1366	# like below:
	1367	#
	1368	# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
	1369	# Reply-Message = "You've used up more than one hour today"
	1370	#
	1371	# The allowed-servicetype attribute can be used to only take
	1372	# into account specific sessions. For example if a user first
	1373	# logs in through a login menu and then selects ppp there will
	1374	# be two sessions. One for Login-User and one for Framed-User
	1375	# service type. We only need to take into account the second one.
	1376	#
	1377	# The module should be added in the instantiate, authorize and
	1378	# accounting sections. Make sure that in the authorize
	1379	# section it comes after any module which sets the
	1380	# 'check-name' attribute.
	1381	#
	1382	counter daily {
	1383	filename = ${raddbdir}/db.daily
	1384	key = User-Name
	1385	count-attribute = Acct-Session-Time
	1386	reset = daily
	1387	counter-name = Daily-Session-Time
	1388	check-name = Max-Daily-Session
	1389	allowed-servicetype = Framed-User
	1390	cache-size = 5000
	1391	}
	1392
	1393	#
	1394	# This module is an SQL enabled version of the counter module.
	1395	#
	1396	# Rather than maintaining seperate (GDBM) databases of
	1397	# accounting info for each counter, this module uses the data
	1398	# stored in the raddacct table by the sql modules. This
	1399	# module NEVER does any database INSERTs or UPDATEs. It is
	1400	# totally dependent on the SQL module to process Accounting
	1401	# packets.
	1402	#
	1403	# The 'sqlmod_inst' parameter holds the instance of the sql
	1404	# module to use when querying the SQL database. Normally it
	1405	# is just "sql". If you define more and one SQL module
	1406	# instance (usually for failover situations), you can
	1407	# specify which module has access to the Accounting Data
	1408	# (radacct table).
	1409	#
	1410	# The 'reset' parameter defines when the counters are all
	1411	# reset to zero. It can be hourly, daily, weekly, monthly or
	1412	# never. It can also be user defined. It should be of the
	1413	# form:
	1414	# num[hdwm] where:
	1415	# h: hours, d: days, w: weeks, m: months
	1416	# If the letter is ommited days will be assumed. In example:
	1417	# reset = 10h (reset every 10 hours)
	1418	# reset = 12 (reset every 12 days)
	1419	#
	1420	# The 'key' parameter specifies the unique identifier for the
	1421	# counter records (usually 'User-Name').
	1422	#
	1423	# The 'query' parameter specifies the SQL query used to get
	1424	# the current Counter value from the database. There are 3
	1425	# parameters that can be used in the query:
	1426	# %k 'key' parameter
	1427	# %b unix time value of beginning of reset period
	1428	# %e unix time value of end of reset period
	1429	#
	1430	# The 'check-name' parameter is the name of the 'check'
	1431	# attribute to use to access the counter in the 'users' file
	1432	# or SQL radcheck or radcheckgroup tables.
	1433	#
	1434	# DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
	1435	# Reply-Message = "You've used up more than one hour today"
	1436	#
	1437	sqlcounter dailycounter {
	1438	counter-name = Daily-Session-Time
	1439	check-name = Max-Daily-Session
	1440	sqlmod-inst = sql
	1441	key = User-Name
	1442	reset = daily
	1443
	1444	# This query properly handles calls that span from the
	1445	# previous reset period into the current period but
	1446	# involves more work for the SQL server than those
	1447	# below
	1448	# For mysql:
	1449	query = "SELECT SUM(AcctSessionTime - \
	1450	GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
	1451	FROM radacct WHERE UserName='%{%k}' AND \
	1452	UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
	1453
	1454	# For postgresql:
	1455	# query = "SELECT SUM(AcctSessionTime - \
	1456	# GREATER((%b - AcctStartTime::ABSTIME::INT4), 0)) \
	1457	# FROM radacct WHERE UserName='%{%k}' AND \
	1458	# AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'"
	1459
	1460	# This query ignores calls that started in a previous
	1461	# reset period and continue into into this one. But it
	1462	# is a little easier on the SQL server
	1463	# For mysql:
	1464	# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
	1465	# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
	1466
	1467	# For postgresql:
	1468	# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
	1469	# UserName='%{%k}' AND AND AcctStartTime::ABSTIME::INT4 > '%b'"
	1470
	1471	# This query is the same as above, but demonstrates an
	1472	# additional counter parameter '%e' which is the
	1473	# timestamp for the end of the period
	1474	# For mysql:
	1475	# query = "SELECT SUM(AcctSessionTime) FROM radacct \
	1476	# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
	1477	# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
	1478
	1479	# For postgresql:
	1480	# query = "SELECT SUM(AcctSessionTime) FROM radacct \
	1481	# WHERE UserName='%{%k}' AND AcctStartTime::ABSTIME::INT4 \
	1482	# BETWEEN '%b' AND '%e'"
	1483	}
	1484
	1485	sqlcounter monthlycounter {
	1486	counter-name = Monthly-Session-Time
	1487	check-name = Max-Monthly-Session
	1488	sqlmod-inst = sql
	1489	key = User-Name
	1490	reset = monthly
	1491
	1492	# This query properly handles calls that span from the
	1493	# previous reset period into the current period but
	1494	# involves more work for the SQL server than those
	1495	# below
	1496	# The same notes above about the differences between mysql
	1497	# versus postgres queries apply here.
	1498	query = "SELECT SUM(AcctSessionTime - \
	1499	GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
	1500	FROM radacct WHERE UserName='%{%k}' AND \
	1501	UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
	1502
	1503	# This query ignores calls that started in a previous
	1504	# reset period and continue into into this one. But it
	1505	# is a little easier on the SQL server
	1506	# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
	1507	# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
	1508
	1509	# This query is the same as above, but demonstrates an
	1510	# additional counter parameter '%e' which is the
	1511	# timestamp for the end of the period
	1512	# query = "SELECT SUM(AcctSessionTime) FROM radacct \
	1513	# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
	1514	# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
	1515	}
	1516
	1517	#
	1518	# The "always" module is here for debugging purposes. Each
	1519	# instance simply returns the same result, always, without
	1520	# doing anything.
	1521	always fail {
	1522	rcode = fail
	1523	}
	1524	always reject {
	1525	rcode = reject
	1526	}
	1527	always ok {
	1528	rcode = ok
	1529	simulcount = 0
	1530	mpp = no
	1531	}
	1532
	1533	#
	1534	# The 'expression' module currently has no configuration.
	1535	#
	1536	# This module is useful only for 'xlat'. To use it,
	1537	# put 'exec' into the 'instantiate' section. You can then
	1538	# do dynamic translation of attributes like:
	1539	#
	1540	# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
	1541	#
	1542	# The value of the attribute will be replaced with the output
	1543	# of the program which is executed. Due to RADIUS protocol
	1544	# limitations, any output over 253 bytes will be ignored.
	1545	expr {
	1546	}
	1547
	1548	#
	1549	# The 'digest' module currently has no configuration.
	1550	#
	1551	# "Digest" authentication against a Cisco SIP server.
	1552	# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
	1553	# on performing digest authentication for Cisco SIP servers.
	1554	#
	1555	digest {
	1556	}
	1557
	1558	#
	1559	# Execute external programs
	1560	#
	1561	# This module is useful only for 'xlat'. To use it,
	1562	# put 'exec' into the 'instantiate' section. You can then
	1563	# do dynamic translation of attributes like:
	1564	#
	1565	# Attribute-Name = `%{exec:/path/to/program args}`
	1566	#
	1567	# The value of the attribute will be replaced with the output
	1568	# of the program which is executed. Due to RADIUS protocol
	1569	# limitations, any output over 253 bytes will be ignored.
	1570	#
	1571	# The RADIUS attributes from the user request will be placed
	1572	# into environment variables of the executed program, as
	1573	# described in 'doc/variables.txt'
	1574	#
	1575	exec {
	1576	wait = yes
	1577	input_pairs = request
	1578	}
	1579
	1580	#
	1581	# This is a more general example of the execute module.
	1582	#
	1583	# This one is called "echo".
	1584	#
	1585	# Attribute-Name = `%{echo:/path/to/program args}`
	1586	#
	1587	# If you wish to execute an external program in more than
	1588	# one section (e.g. 'authorize', 'pre_proxy', etc), then it
	1589	# is probably best to define a different instance of the
	1590	# 'exec' module for every section.
	1591	#
	1592	exec echo {
	1593	#
	1594	# Wait for the program to finish.
	1595	#
	1596	# If we do NOT wait, then the program is "fire and
	1597	# forget", and any output attributes from it are ignored.
	1598	#
	1599	# If we are looking for the program to output
	1600	# attributes, and want to add those attributes to the
	1601	# request, then we MUST wait for the program to
	1602	# finish, and therefore set 'wait=yes'
	1603	#
	1604	# allowed values: {no, yes}
	1605	wait = yes
	1606
	1607	#
	1608	# The name of the program to execute, and it's
	1609	# arguments. Dynamic translation is done on this
	1610	# field, so things like the following example will
	1611	# work.
	1612	#
	1613	program = "/bin/echo %{User-Name}"
	1614
	1615	#
	1616	# The attributes which are placed into the
	1617	# environment variables for the program.
	1618	#
	1619	# Allowed values are:
	1620	#
	1621	# request attributes from the request
	1622	# config attributes from the configuration items list
	1623	# reply attributes from the reply
	1624	# proxy-request attributes from the proxy request
	1625	# proxy-reply attributes from the proxy reply
	1626	#
	1627	# Note that some attributes may not exist at some
	1628	# stages. e.g. There may be no proxy-reply
	1629	# attributes if this module is used in the
	1630	# 'authorize' section.
	1631	#
	1632	input_pairs = request
	1633
	1634	#
	1635	# Where to place the output attributes (if any) from
	1636	# the executed program. The values allowed, and the
	1637	# restrictions as to availability, are the same as
	1638	# for the input_pairs.
	1639	#
	1640	output_pairs = reply
	1641
	1642	#
	1643	# When to execute the program. If the packet
	1644	# type does NOT match what's listed here, then
	1645	# the module does NOT execute the program.
	1646	#
	1647	# For a list of allowed packet types, see
	1648	# the 'dictionary' file, and look for VALUEs
	1649	# of the Packet-Type attribute.
	1650	#
	1651	# By default, the module executes on ANY packet.
	1652	# Un-comment out the following line to tell the
	1653	# module to execute only if an Access-Accept is
	1654	# being sent to the NAS.
	1655	#
	1656	#packet_type = Access-Accept
	1657	}
	1658
	1659	# Do server side ip pool management. Should be added in post-auth and
	1660	# accounting sections.
	1661	#
	1662	# The module also requires the existance of the Pool-Name
	1663	# attribute. That way the administrator can add the Pool-Name
	1664	# attribute in the user profiles and use different pools
	1665	# for different users. The Pool-Name attribute is a check item not
	1666	# a reply item.
	1667	#
	1668	# Example:
	1669	# radiusd.conf: ippool students { [...] }
	1670	# users file : DEFAULT Group == students, Pool-Name := "students"
	1671	#
	1672	# ******* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *******
	1673	# ******* THEN ERASE THE DB FILES *******
	1674	#
	1675	ippool main_pool {
	1676
	1677	# range-start,range-stop: The start and end ip
	1678	# addresses for the ip pool
	1679	range-start = 192.168.1.1
	1680	range-stop = 192.168.3.254
	1681
	1682	# netmask: The network mask used for the ip's
	1683	netmask = 255.255.255.0
	1684
	1685	# cache-size: The gdbm cache size for the db
	1686	# files. Should be equal to the number of ip's
	1687	# available in the ip pool
	1688	cache-size = 800
	1689
	1690	# session-db: The main db file used to allocate ip's to clients
	1691	session-db = ${raddbdir}/db.ippool
	1692
	1693	# ip-index: Helper db index file used in multilink
	1694	ip-index = ${raddbdir}/db.ipindex
	1695
	1696	# override: Will this ippool override a Framed-IP-Address already set
	1697	override = no
	1698
	1699	# maximum-timeout: If not zero specifies the maximum time in seconds an
	1700	# entry may be active. Default: 0
	1701	maximum-timeout = 0
	1702	}
	1703
	1704	# $INCLUDE ${confdir}/sqlippool.conf
	1705
	1706	# OTP token support. Not included by default.
	1707	# $INCLUDE ${confdir}/otp.conf
	1708
	1709	}
	1710
	1711	# Instantiation
	1712	#
	1713	# This section orders the loading of the modules. Modules
	1714	# listed here will get loaded BEFORE the later sections like
	1715	# authorize, authenticate, etc. get examined.
	1716	#
	1717	# This section is not strictly needed. When a section like
	1718	# authorize refers to a module, it's automatically loaded and
	1719	# initialized. However, some modules may not be listed in any
	1720	# of the following sections, so they can be listed here.
	1721	#
	1722	# Also, listing modules here ensures that you have control over
	1723	# the order in which they are initalized. If one module needs
	1724	# something defined by another module, you can list them in order
	1725	# here, and ensure that the configuration will be OK.
	1726	#
	1727	instantiate {
	1728	#
	1729	# Allows the execution of external scripts.
	1730	# The entire command line (and output) must fit into 253 bytes.
	1731	#
	1732	# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
	1733	exec
	1734
	1735	#
	1736	# The expression module doesn't do authorization,
	1737	# authentication, or accounting. It only does dynamic
	1738	# translation, of the form:
	1739	#
	1740	# Session-Timeout = `%{expr:2 + 3}`
	1741	#
	1742	# So the module needs to be instantiated, but CANNOT be
	1743	# listed in any other section. See 'doc/rlm_expr' for
	1744	# more information.
	1745	#
	1746	expr
	1747
	1748	#
	1749	# We add the counter module here so that it registers
	1750	# the check-name attribute before any module which sets
	1751	# it
	1752	# daily
	1753	}
	1754
	1755	# Authorization. First preprocess (hints and huntgroups files),
	1756	# then realms, and finally look in the "users" file.
	1757	#
	1758	# The order of the realm modules will determine the order that
	1759	# we try to find a matching realm.
	1760	#
	1761	# Make sure that 'preprocess' comes before any realm if you
	1762	# need to setup hints for the remote radius server
	1763	authorize {
	1764	#
	1765	# The preprocess module takes care of sanitizing some bizarre
	1766	# attributes in the request, and turning them into attributes
	1767	# which are more standard.
	1768	#
	1769	# It takes care of processing the 'raddb/hints' and the
	1770	# 'raddb/huntgroups' files.
	1771	#
	1772	# It also adds the %{Client-IP-Address} attribute to the request.
	1773	preprocess
	1774
	1775	#
	1776	# If you want to have a log of authentication requests,
	1777	# un-comment the following line, and the 'detail auth_log'
	1778	# section, above.
	1779	# auth_log
	1780
	1781	# attr_filter
	1782
	1783	#
	1784	# The chap module will set 'Auth-Type := CHAP' if we are
	1785	# handling a CHAP request and Auth-Type has not already been set
	1786	chap
	1787
	1788	#
	1789	# If the users are logging in with an MS-CHAP-Challenge
	1790	# attribute for authentication, the mschap module will find
	1791	# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
	1792	# to the request, which will cause the server to then use
	1793	# the mschap module for authentication.
	1794	mschap
	1795
	1796	#
	1797	# If you have a Cisco SIP server authenticating against
	1798	# FreeRADIUS, uncomment the following line, and the 'digest'
	1799	# line in the 'authenticate' section.
	1800	# digest
	1801
	1802	#
	1803	# Look for IPASS style 'realm/', and if not found, look for
	1804	# '@realm', and decide whether or not to proxy, based on
	1805	# that.
	1806	# IPASS
	1807
	1808	#
	1809	# If you are using multiple kinds of realms, you probably
	1810	# want to set "ignore_null = yes" for all of them.
	1811	# Otherwise, when the first style of realm doesn't match,
	1812	# the other styles won't be checked.
	1813	#
	1814	suffix
	1815	# ntdomain
	1816
	1817	#
	1818	# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
	1819	# authentication.
	1820	#
	1821	# It also sets the EAP-Type attribute in the request
	1822	# attribute list to the EAP type from the packet.
	1823
	1824	#
	1825	# Read the 'users' file
	1826	files
	1827
	1828	#
	1829	# Look in an SQL database. The schema of the database
	1830	# is meant to mirror the "users" file.
	1831	#
	1832	# See "Authorization Queries" in sql.conf
	1833	# sql
	1834
	1835	#
	1836	# If you are using /etc/smbpasswd, and are also doing
	1837	# mschap authentication, the un-comment this line, and
	1838	# configure the 'etc_smbpasswd' module, above.
	1839	# etc_smbpasswd
	1840
	1841	#
	1842	# The ldap module will set Auth-Type to LDAP if it has not
	1843	# already been set
	1844	ldap
	1845
	1846	#
	1847	# Enforce daily limits on time spent logged in.
	1848	# daily
	1849
	1850	#
	1851	# Use the checkval module
	1852	# checkval
	1853	}
	1854
	1855
	1856	# Authentication.
	1857	#
	1858	#
	1859	# This section lists which modules are available for authentication.
	1860	# Note that it does NOT mean 'try each module in order'. It means
	1861	# that a module from the 'authorize' section adds a configuration
	1862	# attribute 'Auth-Type := FOO'. That authentication type is then
	1863	# used to pick the apropriate module from the list below.
	1864	#
	1865
	1866	# In general, you SHOULD NOT set the Auth-Type attribute. The server
	1867	# will figure it out on its own, and will do the right thing. The
	1868	# most common side effect of erroneously setting the Auth-Type
	1869	# attribute is that one authentication method will work, but the
	1870	# others will not.
	1871	#
	1872	# The common reasons to set the Auth-Type attribute by hand
	1873	# is to either forcibly reject the user, or forcibly accept him.
	1874	#
	1875	authenticate {
	1876	#
	1877	# PAP authentication, when a back-end database listed
	1878	# in the 'authorize' section supplies a password. The
	1879	# password can be clear-text, or encrypted.
	1880	Auth-Type PAP {
	1881	pap
	1882	}
	1883
	1884	#
	1885	# Most people want CHAP authentication
	1886	# A back-end database listed in the 'authorize' section
	1887	# MUST supply a CLEAR TEXT password. Encrypted passwords
	1888	# won't work.
	1889	Auth-Type CHAP {
	1890	chap
	1891	}
	1892
	1893	#
	1894	# MSCHAP authentication.
	1895	Auth-Type MS-CHAP {
	1896	mschap
	1897	}
	1898
	1899	#
	1900	# If you have a Cisco SIP server authenticating against
	1901	# FreeRADIUS, uncomment the following line, and the 'digest'
	1902	# line in the 'authorize' section.
	1903	# digest
	1904
	1905	#
	1906	# Pluggable Authentication Modules.
	1907	# pam
	1908
	1909	#
	1910	# See 'man getpwent' for information on how the 'unix'
	1911	# module checks the users password. Note that packets
	1912	# containing CHAP-Password attributes CANNOT be authenticated
	1913	# against /etc/passwd! See the FAQ for details.
	1914	#
	1915	unix
	1916
	1917	# Uncomment it if you want to use ldap for authentication
	1918	#
	1919	# Note that this means "check plain-text password against
	1920	# the ldap database", which means that EAP won't work,
	1921	# as it does not supply a plain-text password.
	1922	Auth-Type LDAP {
	1923	ldap
	1924	}
	1925
	1926	#
	1927	# Allow EAP authentication.
	1928	}
	1929
	1930
	1931	#
	1932	# Pre-accounting. Decide which accounting type to use.
	1933	#
	1934	preacct {
	1935	preprocess
	1936
	1937	#
	1938	# Ensure that we have a semi-unique identifier for every
	1939	# request, and many NAS boxes are broken.
	1940	acct_unique
	1941
	1942	#
	1943	# Look for IPASS-style 'realm/', and if not found, look for
	1944	# '@realm', and decide whether or not to proxy, based on
	1945	# that.
	1946	#
	1947	# Accounting requests are generally proxied to the same
	1948	# home server as authentication requests.
	1949	# IPASS
	1950	suffix
	1951	# ntdomain
	1952
	1953	#
	1954	# Read the 'acct_users' file
	1955	files
	1956	}
	1957
	1958	#
	1959	# Accounting. Log the accounting data.
	1960	#
	1961	accounting {
	1962	#
	1963	# Create a 'detail'ed log of the packets.
	1964	# Note that accounting requests which are proxied
	1965	# are also logged in the detail file.
	1966	detail
	1967	# daily
	1968
	1969	# Update the wtmp file
	1970	#
	1971	# If you don't use "radlast", you can delete this line.
	1972	unix
	1973
	1974	#
	1975	# For Simultaneous-Use tracking.
	1976	#
	1977	# Due to packet losses in the network, the data here
	1978	# may be incorrect. There is little we can do about it.
	1979	radutmp
	1980	# sradutmp
	1981
	1982	# Return an address to the IP Pool when we see a stop record.
	1983	# main_pool
	1984
	1985	#
	1986	# Log traffic to an SQL database.
	1987	#
	1988	# See "Accounting queries" in sql.conf
	1989	# sql
	1990
	1991	#
	1992	# Instead of sending the query to the SQL server,
	1993	# write it into a log file.
	1994	#
	1995	# sql_log
	1996
	1997	# Cisco VoIP specific bulk accounting
	1998	# pgsql-voip
	1999
	2000	}
	2001
	2002
	2003	# Session database, used for checking Simultaneous-Use. Either the radutmp
	2004	# or rlm_sql module can handle this.
	2005	# The rlm_sql module is much faster
	2006	session {
	2007	radutmp
	2008
	2009	#
	2010	# See "Simultaneous Use Checking Querie" in sql.conf
	2011	# sql
	2012	}
	2013
	2014
	2015	# Post-Authentication
	2016	# Once we KNOW that the user has been authenticated, there are
	2017	# additional steps we can take.
	2018	post-auth {
	2019	# Get an address from the IP Pool.
	2020	# main_pool
	2021
	2022	#
	2023	# If you want to have a log of authentication replies,
	2024	# un-comment the following line, and the 'detail reply_log'
	2025	# section, above.
	2026	# reply_log
	2027
	2028	#
	2029	# After authenticating the user, do another SQL query.
	2030	#
	2031	# See "Authentication Logging Queries" in sql.conf
	2032	# sql
	2033
	2034	#
	2035	# Instead of sending the query to the SQL server,
	2036	# write it into a log file.
	2037	#
	2038	# sql_log
	2039
	2040	#
	2041	# Un-comment the following if you have set
	2042	# 'edir_account_policy_check = yes' in the ldap module sub-section of
	2043	# the 'modules' section.
	2044	#
	2045	# ldap
	2046	#
	2047	# Access-Reject packets are sent through the REJECT sub-section of the
	2048	# post-auth section.
	2049	# Uncomment the following and set the module name to the ldap instance
	2050	# name if you have set 'edir_account_policy_check = yes' in the ldap
	2051	# module sub-section of the 'modules' section.
	2052	#
	2053	# Post-Auth-Type REJECT {
	2054	# insert-module-name-here
	2055	# }
	2056
	2057	}
	2058
	2059	#
	2060	# When the server decides to proxy a request to a home server,
	2061	# the proxied request is first passed through the pre-proxy
	2062	# stage. This stage can re-write the request, or decide to
	2063	# cancel the proxy.
	2064	#
	2065	# Only a few modules currently have this method.
	2066	#
	2067	pre-proxy {
	2068	# attr_rewrite
	2069
	2070	# Uncomment the following line if you want to change attributes
	2071	# as defined in the preproxy_users file.
	2072	# files
	2073
	2074	# If you want to have a log of packets proxied to a home
	2075	# server, un-comment the following line, and the
	2076	# 'detail pre_proxy_log' section, above.
	2077	# pre_proxy_log
	2078	}
	2079
	2080	#
	2081	# When the server receives a reply to a request it proxied
	2082	# to a home server, the request may be massaged here, in the
	2083	# post-proxy stage.
	2084	#
	2085	post-proxy {
	2086
	2087	# If you want to have a log of replies from a home server,
	2088	# un-comment the following line, and the 'detail post_proxy_log'
	2089	# section, above.
	2090	# post_proxy_log
	2091
	2092	# attr_rewrite
	2093
	2094	# Uncomment the following line if you want to filter replies from
	2095	# remote proxies based on the rules defined in the 'attrs' file.
	2096
	2097	# attr_filter
	2098
	2099	#
	2100	# If you are proxying LEAP, you MUST configure the EAP
	2101	# module, and you MUST list it here, in the post-proxy
	2102	# stage.
	2103	#
	2104	# You MUST also use the 'nostrip' option in the 'realm'
	2105	# configuration. Otherwise, the User-Name attribute
	2106	# in the proxied request will not match the user name
	2107	# hidden inside of the EAP packet, and the end server will
	2108	# reject the EAP request.
	2109	#
	2110	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format